Endpoint Protection

 View Only

Creating a Transform (*.MST) File to control installation of Symantec Endpoint Protection 

Jun 27, 2009 05:02 PM

This article is part of a series describing how to leverage Group Policy Software Installation to install SEP. All automatically and without touching SEPM when you deploy a computer.

GPO Installs and SEP, Part 1

How to leverage Group Policy Software Installation to install SEP Clients.

GPO Installs and SEP, Part 2

How to turn GPO-installed SEP Clients into Managed Clients and assign them to the correct Group. Even if you don’t use GPO installs, this article makes your SEP installation more robust.

GPO Installs and SEP, Part 3

How to comply with Symantec’s supported upgrade path for MP installations.


What is a Transform?

A Transform (*.MST) file allows you to collect installation options for programs that use the Microsoft Windows Installer in a file. They can be used on the Installer (MSIEXEC.EXE) command line, or used in a software installation Group Policy in a Microsoft Active Directory domain.

How can they help me with SEP?

For Symantec Endpoint Protection (SEP), I have found MSTs most useful for controlling the features installed on SEP clients. As a bonus, when SEP is installed using MST files, it is no longer possible to install or remove individual components using Add or Remove Programs in Control Panel. This is a bonus for controlling configuration of a managed system.

How do I create one?

We will use Orca, a free utility from Microsoft, to generate the Transform. This Microsoft Knowledge Base article tells you how to obtain and install Orca:

  1. Launch Orca, click File/Open, navigate to the SEP *.MSI file and click Open. For current versions of SEP, the filenames are Symantec Antivirus.msi and Symantec Antivirus Win64.msi.
  2. In the Tables pane, click Property.
  3. Symantec Antivirus Win64.msi open in ORCA
  4. Click Tables/Add Row. The Add Row dialog box opens.
  5. Click the Property row and enter ADDLOCAL.
  6. Add Row dialog box
  7. Type the names of the Features you want included in this installation, separated by commas. (See below.)
  8. Click OK.
  9. Click Transform/Generate Transform and save the MST file with a descriptive name. I use the names of the features included in the Transform as the filename.

What are the SEP features, and how do I specify them?

They are listed in the Installation Guide together with their dependencies. In the version of the Installation Guide current at this writing, (as included in SEP 11.0 MR4 MP2), they appear in Appendix A in a section entitled “Client installation features and properties.”

Use that as a guide for specifying features--except--contrary to the documentation, be aware there is no feature named “ÉmailTools”. If you include EmailTools in the list, your MST will not work. This may be relevant for using SETAID.INI, but it does not apply to the MST.

For example, to install Antivirus/Antispyware, Proactive Threat Protection, Outlook E-mail snap-in and POP/SMTP e-mail snap-in, you would type this:


How do I use the MST?

Detailed discussion is beyond the scope of this article, but assuming basic familiarity with the MSIEXEC command line and Group Policy software installations, here is what you do:

On the command line

MSIEXEC Symantec Antivirus.msi TRANSFORMS=MyTransform.mst

In a Group Policy Object

1. Create a new Software Installation Package in the Computer Settings node of Group Policy Object Editor.
2. Select the SEP MSI file, and then click Advanced. (This is the ONLY opportunity you will have to apply a Transform to this Package.)
3. On the Modifications tab, click Add and select the MST file you created.

Can I put x86 and x64 Packages in the same GPO?

Nothing wrong with that. On the Deployment tab of the x86 Package, click Advanced and turn off Make this 32-bit X86 application available to Win64 machines. Even if you forget, the x86 version won't install, but it will waste a minute or two during every bootup trying. At this writing, some SEP features are not supported on x64, so you'll likely need to use different MST files for the x64 product.

This installs an unmanaged SEP client. How do I make it managed?

This companion article shows you how to use Startup Scripts to drop an appropriate SYLINK.XML file on each client. It has the added benefit that your SEP installation will be more robust, because you can ensure that clients will always be able to find a SEPM without any action from you, even in situations Symantec has not anticipated.


How do I meet Symantec's requirements for installing MPs only over their corresponding MRs with GPO installs?

An upcoming article discusses this very issue.

Can you share the MSTs you've used, to save us some time?

Sure! https://www-secure.symantec.com/connect/downloads/sample-mst-files-use-group-policy-or-msiexec-command-line-sep-installs

0 Favorited
0 Files

Tags and Keywords


Apr 02, 2012 05:42 PM

JRV, I work for Symantec, and you're the best resource I've seen on this to date.


Mar 14, 2012 09:59 AM

Good one.

Mar 14, 2012 02:23 AM


good artical ..ths helped me lot. i have doubt it that. when we need to create mst,wheathre the application has been installed in the system?? or without installing the application we can create .mst??

Sep 16, 2009 02:51 PM

I don't think this will be much of a revelation to anyone: GP works, it's easy to set up, as close to 100% reliable as anything ever gets in IT, and included in the OS license. (That latter point is HUGE for my clients!) OTOH, Altiris, SMS, MSSC et al give you reporting and more granular control.

Your AD design may or may not give you the granularity you need; you'll need to determine that.

Once you've puzzled out a successful install, GPO installs thereafter pretty much Just Work, so there's not much to report in businesses I support. Or you may have a 3rd-party auditing product that tells you what's installed. SEPM will tell you, for that matter. But in larger organizations and in particular those with formal compliance requirements to meet, you may need reporting integrated with your install technology, and GP won't give you that.

Sep 16, 2009 01:56 PM

Do you talk about the advantages of GPM over using the Altiris Integration Component?  The reason I ask is because I'm about to deploy SEP to over 3500 machines including 4 remote branches and I'd like to decide ASAP the best approach.

This method seems pretty slick.


Jul 30, 2009 09:32 AM


Jul 30, 2009 07:21 AM

Very usefull in managed environment.


Jul 20, 2009 06:20 PM

@Everyone: Thanks!

@Olvan: 谢谢 !(translation from bing.com and freetranslation.com...hope it's correct!)

@Rich: Funny you should mention that...

I've not found a way to do this with an MST. I'd love it if there was. (If Symantec knows differently, please advise!)

But if you click here:


--all will be revealed.

Jul 20, 2009 05:28 PM

It would go here:

<RegisterClient PreferredGroup="My_Company\My_Group" PreferredMode="1"/>


Jul 19, 2009 09:44 AM

Thnak you for this post it can help me in the future migration of SEP

Jul 14, 2009 11:51 AM

 Yes, it is. You have to add it in PROPERTY table.


Jul 14, 2009 10:29 AM


Just to confirm the REBOOT property goes into the PROPERTY TABLE?


Jul 14, 2009 10:14 AM


IF you don’t want to restart the workstations after installation add the following row “REBOOT” with following value “REALLYSUPPRESS” in to Property Table.

Additional info about the MSI commands for SEP:


Jul 14, 2009 09:11 AM

I have been using something similar and I cannot find where to modify the transform so that the installation suppresses the reboot needed after the installation
any ideas?

Jul 12, 2009 03:29 AM

Nice information, help me a lot.

Jul 08, 2009 11:09 AM

Nice job Jeff, very useful

Jul 07, 2009 11:29 AM

I don't believe this can be done in the MST - but maybe you can point me in the right direction.  Supposedly when you create an install package on the SEP server, the target group that you intend it to be added to will be included in the Sylink.xml file (which has to be in the installation directory for the MSI if i'm not mistaken).   It doesn't seem to be happening with ours.  Where in the XML are you supposed to plug in the line for specifying a group?

Jul 06, 2009 09:59 PM


Jul 06, 2009 12:08 PM

Thanks! Have been wondering how I could bundle a flavor of SEP into the corp deployment. This is probably the most useful article I have seen in a while. Thanks!

Jul 05, 2009 07:55 AM

wow! This is a great article, A useful one! Thanks! :D

Jul 04, 2009 01:49 AM

Thank you for this very helpful article,

Need this kind of help in future even.

I realy hope you will continue.

Thanks & regards

Ranga Abeyratne

Jul 02, 2009 12:19 PM

Thank you for this Article!
Realy thank you for write this.
I Hope You will continue
Best Regards.

Jul 02, 2009 07:59 AM

Very good article!

Thanks for sharing this information.


Related Entries and Links

No Related Resource entered.